Feature: add Apple notarization step to release CI pipeline #7

@jmcte

Description

Problem

The NATIVE_ONLY_REDESIGN.md document lists notarization as a required gate before shipping the native app to end users, but the release.yml workflow has no notarization step. As a result:

  • Binaries published to GitHub Releases are ad-hoc signed only.
  • Gatekeeper will quarantine the app on first launch unless users manually run xattr -d com.apple.quarantine.
  • The release process relies on an undocumented manual notarization step that is easy to forget.

Proposed Fix

Add a notarize job in release.yml (after the build job, before the publish job) that:

  1. Runs on a macOS self-hosted runner with Xcode and an Apple Developer certificate available.
  2. Signs the .app bundle with the full Developer ID certificate (not ad-hoc).
  3. Submits to Apple Notary Service via xcrun notarytool submit --wait.
  4. Staples the notarization ticket via xcrun stapler staple.
  5. Zips the stapled bundle and uploads it as the release asset.

Required secrets: APPLE_DEVELOPER_CERT_P12, APPLE_CERT_PASSWORD, APPLE_TEAM_ID, APPLE_NOTARY_KEY_ID, APPLE_NOTARY_KEY_ISSUER, APPLE_NOTARY_PRIVATE_KEY.
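As an added illustration of the five steps above (this is example code written for this issue, not the project's current release.yml), the following job wires them into GitHub Actions using the secret names listed. Names not taken from the issue are assumptions: the job id `notarize`, the build artifact `app-bundle` containing `Example.app`, the runner label `macos-signing`, the certificate common name, and the encodings of APPLE_DEVELOPER_CERT_P12 (base64 of the .p12) and APPLE_NOTARY_PRIVATE_KEY (raw App Store Connect API key .p8 contents).

```yaml
# Added example of the proposed notarize job (not the project's own workflow).
# Assumed, not from the issue: job id, artifact name, app name, runner label,
# certificate CN, and that the .p12 secret is base64 and the .p8 secret is raw text.
notarize:
  needs: build
  # Acceptance criterion: skip (do not fail) on non-tag builds so PR CI stays fast.
  if: startsWith(github.ref, 'refs/tags/')
  runs-on: [self-hosted, macos-signing]
  env:
    APP: Example.app
  steps:
    - uses: actions/download-artifact@v4
      with:
        name: app-bundle
        path: dist

    - name: Import Developer ID certificate into a throwaway keychain
      env:
        CERT_P12_B64: ${{ secrets.APPLE_DEVELOPER_CERT_P12 }}
        CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
      run: |
        set -euo pipefail
        KEYCHAIN="$RUNNER_TEMP/notarize.keychain-db"
        KEYCHAIN_PW="$(openssl rand -hex 16)"          # never leaves this job
        echo "KEYCHAIN=$KEYCHAIN" >> "$GITHUB_ENV"
        echo "$CERT_P12_B64" | base64 --decode > "$RUNNER_TEMP/cert.p12"
        security create-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN"
        security set-keychain-settings -lut 900 "$KEYCHAIN"   # auto-lock after 15 min
        security unlock-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN"
        security import "$RUNNER_TEMP/cert.p12" -k "$KEYCHAIN" \
          -P "$CERT_PASSWORD" -T /usr/bin/codesign
        # Allow codesign to use the key without a UI prompt on a headless runner.
        security set-key-partition-list -S apple-tool:,apple:,codesign: \
          -s -k "$KEYCHAIN_PW" "$KEYCHAIN"
        security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
        rm -f "$RUNNER_TEMP/cert.p12"

    - name: Sign with the Developer ID certificate (hardened runtime + timestamp)
      env:
        TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
      run: |
        set -euo pipefail
        IDENTITY="Developer ID Application: Example Corp ($TEAM_ID)"   # assumed CN
        # --options runtime (hardened runtime) and --timestamp are required for notarization.
        codesign --force --options runtime --timestamp \
          --keychain "$KEYCHAIN" --sign "$IDENTITY" "dist/$APP"
        codesign --verify --deep --strict --verbose=2 "dist/$APP"

    - name: Submit to Apple Notary Service and wait for the verdict
      env:
        KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
        KEY_ISSUER: ${{ secrets.APPLE_NOTARY_KEY_ISSUER }}
        KEY_P8: ${{ secrets.APPLE_NOTARY_PRIVATE_KEY }}
      run: |
        set -euo pipefail
        printf '%s\n' "$KEY_P8" > "$RUNNER_TEMP/notary.p8"
        # notarytool accepts zip/dmg/pkg, not a bare .app; ditto preserves bundle metadata.
        ditto -c -k --keepParent "dist/$APP" "$RUNNER_TEMP/submit.zip"
        xcrun notarytool submit "$RUNNER_TEMP/submit.zip" \
          --key "$RUNNER_TEMP/notary.p8" --key-id "$KEY_ID" --issuer "$KEY_ISSUER" \
          --wait
        rm -f "$RUNNER_TEMP/notary.p8"

    - name: Staple the ticket and check the Gatekeeper assessment
      run: |
        set -euo pipefail
        xcrun stapler staple "dist/$APP"
        xcrun stapler validate "dist/$APP"
        # Same check Gatekeeper performs on a clean machine; fails the job if it would be blocked.
        spctl --assess --type execute -vv "dist/$APP"

    - name: Package the stapled bundle as the release asset
      run: ditto -c -k --keepParent "dist/$APP" "dist/${APP%.app}-${GITHUB_REF_NAME}-macos.zip"

    - uses: actions/upload-artifact@v4
      with:
        name: notarized-release
        path: dist/*.zip

    - name: Remove the throwaway keychain
      if: always()
      run: security delete-keychain "$KEYCHAIN" || true
```

Two points a reviewer would look for in the real implementation: the bundle is zipped once for submission and again after stapling, because the ticket is attached to the .app and a zip made before stapling would ship without it; and the signing material lives only in a job-scoped keychain that is deleted even when an earlier step fails, so a shared self-hosted runner does not accumulate usable Developer ID keys between jobs. The `spctl` assessment is what backs the "Gatekeeper passes on a clean machine" acceptance criterion in CI rather than relying on a manual check.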

If a self-hosted macOS runner is not available for CI, document the manual notarization procedure in docs/INSTALLATION.md as an interim measure with a clear "not yet automated" callout.

Acceptance Criteria

  • Release artifacts are signed with a Developer ID certificate (not ad-hoc).
  • Notarization ticket is stapled to the .app bundle before packaging.
  • Gatekeeper passes on a clean macOS machine without manual quarantine removal.
  • Notarization step is skipped (not failed) on non-tag builds to keep PR CI fast.
  • Required secrets are listed in docs/bootstrap/onboarding.md.
